
The financial services sector is often regarded as a benchmark of IT and security. This leadership position, however, also comes at a price: Financial services was one of the first industries to be impacted by cybercrime. That comes as little surprise – as the tall tale of Willie Sutton (a prolific bank robber) tells us, when asked by a reporter why he robbed banks, he simply replied, “Because that's where the money is.” The latest research from PwC shows that cybercrime accounted for 39% of financial services economic crime, compared to 17% in other industries.


One estimate suggests financial services companies will spend $2.6 billion by 2016 on protecting networks and other cybersecurity efforts. The cost of compliance, when graphed alongside security spending, represents a similar trend. Namely, the effort and resources exhausted on compliance are also on a steep incline, and compliance costs are as unavoidable as cybercrime. However, we will need to expand the scope of our security thinking. Focusing on compliance alone as a security strategy is not enough anymore. Just because an item doesn't fall under a regulation doesn't mean it's not sensitive data. If compliance is the only basis of a data protection strategy, the organization risks not being secure even though it might be in compliance.


A compliance-driven view of data security simply does not equal a more secure environment. When we look at data through a compliance lens only, we often only see two types of data: Regulated or not regulated. But the reality is not that simple. Sensitive data exists beyond the realm of data that falls under compliance. Corporate secrets, customer preferences, sales contacts, the timing and planning of a new product launch, financial data – all of these are sensitive and need to be protected because, in case of a breach, they can be the source of significant post-breach losses.


The intersection of cybercrime and compliance occurs at the very source of our security efforts – protecting sensitive data. And the necessity of that protection continues to evolve beyond “hacking.” Current threats include data manipulation, reputation damage and loss of competitive advantage.


Let's take a step back. What exactly makes data sensitive? By definition, sensitive data is information that must be protected from unauthorized access to safeguard the privacy or security of an individual or organization. What does that mean to you, the person tasked with protecting the privacy and security of your organization, and the privacy of your members, partners and employees? It likely means that sensitive data is any data that, if lost, stolen or exposed, could financially harm an organization, cause reputational damage or be a reason for termination.


Financial services organizations have established themselves at the forefront of monetizing technology and protecting their systems and the information within. The speed and velocity of sensitive data creation pose a new challenge to this sector. The increasing premiums of cyber insurance along with newly introduced limits reduce the effectiveness of risk transferal as a viable means of managing cyber risk. In plain language, the 2013 Target breach cost the company an estimated $264 million, only $90 million of which Target will recoup from insurance policies. Similarly, Home Depot incurred an estimated $234 million in expenses, with insurance covering only about $100 million of that. And both companies are facing steep increases in premiums along with everyone else also seeking cyber insurance.


While non-insurable, post-breach damages continue to skyrocket, organizations' ability to locate their sensitive data is not keeping pace, as is illustrated by another high-profile incident, the Sony breach. It highlights just how much most organizations may not know about where their sensitive data resides: There were 601 files that contained Social Security numbers, 523 of which were Excel spreadsheets. More than 3,000 of those Social Security numbers appeared in more than 100 locations. This represents just a snapshot of the company's sensitive data footprint. That large a footprint would challenge even the best information security team.


The lessons from these examples point not to a lack of security controls, but mostly to the challenges of understanding where sensitive data resides. Our ability to place the proper security controls on and around data begins with knowing all of the places where data resides and understanding what the data is. These are the pillars of a solid financial data security program.


Gabriel Gumbs is vice president of product strategy and technical marketing for Identity Finder. He can be reached at 646-863-8301 or [email protected].
